RADIUS TLS Hardening

System Overview

    • Operating System: Windows Server 2019 with RADIUS role
    • Hardening Configuration: TLS Protocols and Cipher according to Mozilla Intermediate

Problem

After applying the hardening configuration WLAN clients could not authenticate to RADIUS and therefore not connect to the wireless LAN.

Cause

RADIUS in our case uses EAP-TLS as authentication protocol. As defined in rfc5216 section-2.4 EAP-TLS requires the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

Further it recommends supporting TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268]

Solution

Add the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA to the end of the cipher suites list.

Check

After applying the updated hardening configuration try to login to the WLAN.

References

 

Leave a Reply